Using ACID 193
Figure 6-7 Searching the database using ACID.
194 Chapter 6 • Using ACID and SnortSnarf with Snort
Figure 6-8 Searching for all alerts that contain “ATTACK RESPONSE” string in the signature.
Figure 6-9 Result of query used in Figure 6-8.
Figure 6-10 Unique destination addresses for alerts in Snort database.
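The searches in Figures 6-8 and 6-10 are ordinary SQL queries against the Snort database, and knowing what ACID runs lets you repeat them from the mysql client or write queries ACID's forms cannot express. The following is an added example, not code from the book or from ACID itself. It assumes the table and column names of Snort's standard create_mysql schema (event, signature, iphdr) and that the database is called snort, as on this page.

```sql
-- Added example (not from the book or from ACID's own source): the SQL behind the
-- two searches shown in Figures 6-8 and 6-10, typed directly into the mysql client.
-- Table and column names are those of Snort's create_mysql schema: event(sid, cid,
-- signature, timestamp), signature(sig_id, sig_name, ...) and iphdr(sid, cid,
-- ip_src, ip_dst, ...). ip_src and ip_dst are stored as 32-bit unsigned integers,
-- hence INET_NTOA() to print them in dotted form.
USE snort;

-- Figure 6-8: alerts whose signature name contains "ATTACK RESPONSE".
-- event.signature refers to signature.sig_id; (sid, cid) keys every other
-- per-alert table, so the IP header is joined on both columns.
SELECT e.sid, e.cid, e.timestamp, s.sig_name,
       INET_NTOA(ip.ip_src) AS src_ip,
       INET_NTOA(ip.ip_dst) AS dst_ip
FROM event e
JOIN signature s ON s.sig_id = e.signature
JOIN iphdr ip    ON ip.sid = e.sid AND ip.cid = e.cid
WHERE s.sig_name LIKE '%ATTACK RESPONSE%'
ORDER BY e.timestamp DESC
LIMIT 50;                       -- ACID also shows 50 rows per page

-- Figure 6-10: unique destination addresses, with counts ACID does not show.
-- Grouping on the integer column rather than on the converted string lets
-- MySQL use the index on ip_dst.
SELECT INET_NTOA(ip.ip_dst)        AS dst_ip,
       COUNT(*)                    AS alerts,
       COUNT(DISTINCT ip.ip_src)   AS distinct_sources,
       COUNT(DISTINCT e.signature) AS distinct_signatures,
       MIN(e.timestamp)            AS first_seen,
       MAX(e.timestamp)            AS last_seen
FROM iphdr ip
JOIN event e ON e.sid = ip.sid AND e.cid = ip.cid
GROUP BY ip.ip_dst
ORDER BY alerts DESC;

-- Combining the two: ATTACK RESPONSE rules match the reply a server sends back,
-- so ip_src is the host that answered. This lists which of your own hosts
-- produced such replies, which is the list to check first during triage.
SELECT INET_NTOA(ip.ip_src) AS responding_host, s.sig_name, COUNT(*) AS alerts
FROM event e
JOIN signature s ON s.sig_id = e.signature
JOIN iphdr ip    ON ip.sid = e.sid AND ip.cid = e.cid
WHERE s.sig_name LIKE '%ATTACK RESPONSE%'
GROUP BY ip.ip_src, s.sig_name
ORDER BY alerts DESC;
```

The LIKE pattern is the same substring match ACID performs; use sig_name = '...' for an exact signature, or join signature.sig_sid if you want to search by the rule's sid rather than its text.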
6.3.5 Searching whois Databases
To get whois information about a particular address, click on the address in any ACID alert listing and select the whois database to query, for example the American Registry for Internet Numbers (ARIN) at http://www.arin.net. The response to such a query for IP address 66.236.16.52 is shown in Figure 6-11.
This information is important for incident response. It is usually the first step in finding out who is responsible for the address an attack came from, together with a contact number or abuse address. Once you have that information, you can contact the owner to have the probing of your network stopped. Bear in mind that the registered owner is rarely the attacker: the source address may be spoofed, or the host may itself be compromised and used as a stepping stone, so treat the whois contact as the party to notify rather than as the culprit.
Figure 6-11 Response to whois query.
6.3.6 Generating Graphs
Generating graphs was still an experimental feature of ACID at the time of writing this book. I have included it to introduce this interesting feature. The ACID main page provides a link to generate graphs. When generating a graph, you select the data to plot and the type of graph; for example, you can generate a line or bar graph of alerts over the last five days. Figure 6-12 shows a sample bar graph of the alert data.
ACID uses the PHPLOT package on the back end to generate these graphs. You can also use another package, JPGRAPH, in place of PHPLOT. JPGRAPH has a different licensing scheme, and there may be restrictions on using it in a commercial environment.
NOTE: The functionality described in this section is only an overview of ACID's capabilities. In addition to the tasks presented here, you can use ACID to archive data, delete data from the database, and so on.
6.3.7 Archiving Snort Data
In the previous sections you created a new database called snort_archive to hold data archived from the main Snort database. Using ACID, you can either move alerts from the main database to the archive database or just copy them. A move deletes the alerts from the main database, so be sure that is what you want before choosing it. For example, to move all alerts from the main database to the archive database, click the number next to "Total Number of Alerts" on the main ACID page. The next page lists the alerts in the database; if there are more than 50, only the first 50 are displayed. Use the bottom part of the screen to archive the alerts, as shown in Figure 6-13 (only the bottom part of the browser window is shown in this figure).
Clicking the "Entire Query" button in Figure 6-13 moves every alert matched by the current query, not just the 50 displayed, to the archive database. The result of this action is shown in Figure 6-14.
Figure 6-12 Graph of alert data.
Figure 6-13 Moving alerts to the archive database.
Figure 6-14 Result of moving alert data to archive database.
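The "Entire Query" move in Figure 6-13 is a copy into snort_archive followed by a delete from snort, table by table. Doing the same by hand from the mysql client is useful when ACID is unavailable or when you want to archive on a schedule. The following is an added example, not the book's or ACID's own code; it generalizes the page's "move everything" to "move alerts older than 30 days" (an assumed retention window), and assumes snort_archive was created with the same create_mysql schema as snort and that the MySQL user has SELECT, INSERT and DELETE on both databases.

```sql
-- Added example (not from the book or from ACID): moving alerts into snort_archive
-- by hand, the same job as the "Entire Query" button in Figure 6-13 but limited
-- to alerts older than 30 days (an assumed retention window; change as needed).
-- Assumes snort_archive was created with the same create_mysql schema as snort
-- and that the MySQL user has SELECT, INSERT and DELETE on both databases.

-- 1. Fix the set of alerts to move. Snort keeps inserting while this runs, so the
--    (sid, cid) pairs are captured once and reused for every copy and delete.
CREATE TEMPORARY TABLE to_archive AS
  SELECT sid, cid
  FROM snort.event
  WHERE timestamp < DATE_SUB(NOW(), INTERVAL 30 DAY);

SELECT COUNT(*) AS alerts_to_move FROM to_archive;

-- 2. Lookup tables first, so that event.signature, signature.sig_class_id and
--    event.sid still resolve in the archive. INSERT IGNORE leaves rows that are
--    already there alone. Primary-key values are copied as-is, so the archive
--    must not have been filled by another tool that assigned different sig_ids.
INSERT IGNORE INTO snort_archive.sensor    SELECT * FROM snort.sensor;
INSERT IGNORE INTO snort_archive.sig_class SELECT * FROM snort.sig_class;
INSERT IGNORE INTO snort_archive.signature SELECT * FROM snort.signature;

-- 3. Per-alert tables, all keyed by (sid, cid).
INSERT IGNORE INTO snort_archive.event
  SELECT e.* FROM snort.event e   JOIN to_archive t ON t.sid = e.sid AND t.cid = e.cid;
INSERT IGNORE INTO snort_archive.iphdr
  SELECT h.* FROM snort.iphdr h   JOIN to_archive t ON t.sid = h.sid AND t.cid = h.cid;
INSERT IGNORE INTO snort_archive.tcphdr
  SELECT h.* FROM snort.tcphdr h  JOIN to_archive t ON t.sid = h.sid AND t.cid = h.cid;
INSERT IGNORE INTO snort_archive.udphdr
  SELECT h.* FROM snort.udphdr h  JOIN to_archive t ON t.sid = h.sid AND t.cid = h.cid;
INSERT IGNORE INTO snort_archive.icmphdr
  SELECT h.* FROM snort.icmphdr h JOIN to_archive t ON t.sid = h.sid AND t.cid = h.cid;
INSERT IGNORE INTO snort_archive.opt
  SELECT o.* FROM snort.opt o     JOIN to_archive t ON t.sid = o.sid AND t.cid = o.cid;
INSERT IGNORE INTO snort_archive.data
  SELECT d.* FROM snort.data d    JOIN to_archive t ON t.sid = d.sid AND t.cid = d.cid;

-- 4. Verify before deleting: every selected alert must now exist in the archive.
--    With MyISAM tables (the default for this era) nothing here is transactional,
--    so this check is the only safety net against losing alerts.
SELECT COUNT(*) AS missing_in_archive
FROM to_archive t
LEFT JOIN snort_archive.event a ON a.sid = t.sid AND a.cid = t.cid
WHERE a.sid IS NULL;        -- must be 0 before running step 5

-- 5. Remove the moved alerts from the main database; this is what makes it a
--    "move" rather than a "copy". LEFT JOINs cover alerts that have no row in a
--    given header table, e.g. a UDP alert has no tcphdr row.
DELETE e, h, tc, u, ic, o, d
FROM to_archive t
JOIN      snort.event   e  ON e.sid  = t.sid AND e.cid  = t.cid
LEFT JOIN snort.iphdr   h  ON h.sid  = t.sid AND h.cid  = t.cid
LEFT JOIN snort.tcphdr  tc ON tc.sid = t.sid AND tc.cid = t.cid
LEFT JOIN snort.udphdr  u  ON u.sid  = t.sid AND u.cid  = t.cid
LEFT JOIN snort.icmphdr ic ON ic.sid = t.sid AND ic.cid = t.cid
LEFT JOIN snort.opt     o  ON o.sid  = t.sid AND o.cid  = t.cid
LEFT JOIN snort.data    d  ON d.sid  = t.sid AND d.cid  = t.cid;

DROP TEMPORARY TABLE to_archive;
```

To copy rather than move, stop after step 4. Leave the signature and sensor rows in snort untouched in either case: running sensors reuse them, and ACID's own alert-group tables (created the first time ACID runs, see Section 6.3.8) are not part of this move.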
6.3.8 ACID Tables
When you start using ACID for the first time, it creates its own tables in the Snort database. These tables are used for ACID's housekeeping functions; for example, when you create a new alert group (AG) in ACID, ACID keeps a record of it in its own tables. This section shows the list of MySQL database tables before and after configuring ACID. The following is the list of tables as they appear before using ACID for the first time.
mysql> show tables;
+------------------+
| Tables_in_snort  |
+------------------+
| data             |
| detail           |
| encoding         |
| event            |
| flags            |
| icmphdr          |
| iphdr            |
| opt              |
| protocols        |
| reference        |
| reference_system |
| schema           |
| sensor           |
| services         |
| sig_class        |
| sig_reference    |
| signature        |
| tcphdr           |
| udphdr           |
+------------------+
19 rows in set (0.01 sec)

mysql>
The following is the list of tables after the ACID tables have been created in the database. The user name used for ACID must have permission to create new tables; refer to Chapter 5 for information about granting permissions.